Security detection

ABSTRACT

A computer implemented method, computer program product and comprising rolling an image to a point in time in a protection window by applying write data using write metadata and examining read metadata, the write data, and the write metadata to determine if the image was accessed by an intruder.

A portion of the disclosure of this patent document may contain commandformats and other computer language listings, all of which are subjectto copyright protection. The copyright owner has no objection to thefacsimile reproduction by anyone of the patent document or the patentdisclosure, as it appears in the Patent and Trademark Office patent fileor records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

This invention relates to data replication.

BACKGROUND

Computer data is vital to today's organizations, and a significant partof protection against disasters is focused on data protection. Assolid-state memory has advanced to the point where cost of memory hasbecome a relatively insignificant factor, organizations can afford tooperate with systems that store and process terabytes of data.

Conventional data protection systems include tape backup drives, forstoring organizational production site data on a periodic basis. Suchsystems suffer from several drawbacks. First, they require a systemshutdown during backup, since the data being backed up cannot be usedduring the backup operation. Second, they limit the points in time towhich the production site can recover. For example, if data is backed upon a daily basis, there may be several hours of lost data in the eventof a disaster. Third, the data recovery process itself takes a longtime.

Another conventional data protection system uses data replication, bycreating a copy of the organization's production site data on asecondary backup storage system, and updating the backup with changes.The backup storage system may be situated in the same physical locationas the production storage system, or in a physically remote location.Data replication systems generally operate either at the applicationlevel, at the file system level, at the hypervisor level or at the datablock level.

Current data protection systems try to provide continuous dataprotection, which enable the organization to roll back to any specifiedpoint in time within a recent history. Continuous data protectionsystems aim to satisfy two conflicting objectives, as best as possible;namely, (i) minimize the down time, in which the organization productionsite data is unavailable, during a recovery, and (ii) enable recovery asclose as possible to any specified point in time within a recenthistory.

Continuous data protection typically uses a technology referred to as“journaling,” whereby a log is kept of changes made to the backupstorage. During a recovery, the journal entries serve as successive“undo” information, enabling rollback of the backup storage to previouspoints in time. Journaling was first implemented in database systems,and was later extended to broader data protection.

One challenge to continuous data protection is the ability of a backupsite to keep pace with the data transactions of a production site,without slowing down the production site. The overhead of journalinginherently requires several data transactions at the backup site foreach data transaction at the production site. As such, when datatransactions occur at a high rate at the production site, the backupsite may not be able to finish backing up one data transaction beforethe next production site data transaction occurs. If the production siteis not forced to slow down, then necessarily a backlog of un-logged datatransactions may build up at the backup site. Without being able tosatisfactorily adapt dynamically to changing data transaction rates, acontinuous data protection system chokes and eventually forces theproduction site to shut down.

SUMMARY

A computer implemented method, computer program product and comprisingrolling an image to a point in time in a protection window by applyingwrite data using write metadata and examining read metadata, the writedata, and the write metadata to determine if the image was accessed byan intruder.

BRIEF DESCRIPTION OF THE DRAWINGS

Objects, features, and advantages of embodiments disclosed herein may bebetter understood by referring to the following description inconjunction with the accompanying drawings. The drawings are not meantto limit the scope of the claims included herewith. For clarity, notevery element may be labeled in every Figure. The drawings are notnecessarily to scale, emphasis instead being placed upon illustratingembodiments, principles, and concepts. Thus, features and advantages ofthe present disclosure will become more apparent from the followingdetailed description of exemplary embodiments thereof taken inconjunction with the accompanying drawings in which:

FIG. 1 is a simplified illustration of a data protection system, inaccordance with an embodiment of the present disclosure;

FIG. 2 is a simplified illustration of a write transaction for ajournal, in accordance with an embodiment of the present disclosure;

FIG. 3 is a simplified illustration of a replication of read IOmetadata, write IO, and IO command metadata, in accordance with anembodiment of the present disclosure;

FIG. 4a is a simplified example of a method of replicating IO, inaccordance with an embodiment of the present disclosure;

FIG. 4b is a simplified example of a method accessing a point in time,in accordance with an embodiment of the present disclosure;

FIG. 5 is a simplified illustration of accessing a point in time withread and write IO data, in accordance with an embodiment of the presentdisclosure;

FIG. 6 is a simplified illustration of a replication of read IOmetadata, write IO, and IO command metadata being replicated in ahypervisor with the IO being split at a storage layer, in accordancewith an embodiment of the present disclosure;

FIG. 7a is an alternative simplified example of a method of replicatingIO, in accordance with an embodiment of the present disclosure;

FIG. 7b is a simplified example of a method accessing a point in time,in accordance with an embodiment of the present disclosure;

FIG. 8 is a simplified illustration of accessing a point in time withread and write IO data for a virtual machine, in accordance with anembodiment of the present disclosure;

FIG. 9 is a simplified illustration of a replication of read IOmetadata, write IO, and IO command metadata being replicated in ahypervisor with the IO being split in the hypervisor, in accordance withan embodiment of the present disclosure;

FIG. 10a is an alternative simplified example of a method of replicatingIO, in accordance with an embodiment of the present disclosure;

FIG. 10b is a simplified example of a method accessing a point in time,in accordance with an embodiment of the present disclosure;

FIG. 11 is an alternative simplified illustration of accessing a pointin time with read and write IO data for a virtual machine, in accordancewith an embodiment of the present disclosure;

FIG. 12 an example of an embodiment of an apparatus that may utilize thetechniques described herein, in accordance with an embodiment of thepresent disclosure; and

FIG. 13 is an example of an embodiment of a method embodied on acomputer readable storage medium that may utilize the techniquesdescribed herein, in accordance with an embodiment of the presentdisclosure.

DETAILED DESCRIPTION

Typically during an advanced persistent threat (ATP), an attacker readsdata to be stolen, encrypts it and then sends it over a WAN. Generally,since the sent data is encrypted, it can be very hard to know whichfiles were stolen. In certain embodiment, the current disclosure mayenable detection of which files were accessed at the time of theft andmay allow detection of what was stolen. In other embodiments, anotification of unauthorized access at a point in time may enable areplication image to be rolled to that point in time. In manyembodiments, read metadata and write data may be kept for points in timein a protection window enabling read and write access to be examined forpoints in time within that protection window. In many embodiments, aprotection window may correspond to a period of time for which a log orjournal corresponding to read and write access to a LUN, group of LUNs,or consistency group is kept. In many embodiments, read and writeactivity may include command data and commands.

In some embodiments, a splitter may be configured to send metadata ofread commands arriving to a LU to a journal. In many embodiments, ajournal may store read metadata in addition to write IO data. In certainembodiments, command may also be stored in a journal. In mostembodiments, it may be possible to detect both read activity to a diskand write activity to a disk at any point in time during a replicationwindow.

In certain embodiments, using traces from read metadata and write data,a system may be able to look at a point in time. In many embodiments, itmay be possible to roll to a point in time of interest. In mostembodiments, it may be possible to parse a file system and detect whichfiles were accessed, either read and/or written to, at the point oftime. In an embodiment, it may be able to detect which files wherecreated during the period of time. In certain embodiments, it may beable to determine what files were accessed at that point in time. Inmany embodiments, it may be possible to detect if an encrypted file wascreated and to what file or files encrypted file corresponds. In someembodiments, this may be possible as a journal may contain the data ofwrites and metadata corresponding to reads. In most embodiments, thismay enable automatic detection of which files may have been stolenduring an APT.

In some embodiments, splitting of read metadata and write data may beperformed at a storage level and ATP itself may not be able to hide theaccesses and may not be able to detect that the ATP is being monitored.In other embodiments, a splitter may be located in a hypervisor. In afurther embodiment, a splitter may be located in a virtual machine. Inmost embodiments, command data, in addition to read metadata and writedata may be captured.

In most embodiments, a splitter resident outside of a hypervisor maysplit IO written by the hypervisor at the storage layer to a replicationappliance. In certain embodiments, a splitter may send information aboutread IOs by the hypervisor to a data protection appliance. In manyembodiments, a splitter stored in a storage layer may split metadatainformation about read IO. In other embodiments, a splitter stored in ahypervisor may split metadata about read IO.

In further embodiments, by recording read metadata about IOs, it may beunderstood what files were accessed by which machines, physical orvirtual. In many embodiments, recording metadata about read IOs mayenable a recreation of every activity performed by a machine, physicalor virtual. In many embodiments, in conjunction with write IO activity,a full picture of the actions of a machine may be created. In someembodiments, if a splitter is located in the storage layer, a machine,both physical or virtual, may have no way to detect that it's read andwrite IOs are being recoded. In other embodiments, if the splitter isplaced in a VM, the virtual machine may be able to detect that IOs arebeing tracked by a splitter. In some embodiments, reading particularfiles or sets of files may indicate suspicious activity.

According to a study done by Scott & Scott LLP of over 700 businesses,85% of respondents confirmed they had been the victims of a securitybreach. In many embodiments, a challenge for security with virtualmachines may be that in virtual machine environments, virtual machinesappear and disappear. In many embodiments, this may lead to dangeroussecurity issues. In some embodiments, a threat from a virtual machinemay be from an internal threat, such as an employee, or an externalthreat such as a hacker.

Typically, a hypervisor may serve as a container or virtual environmentfor one or more virtual machines. Conventionally, a virtual machine mayinteract with resources in a hypervisor and the virtual machine may beunaware that it is not a physical machine. Generally, a hypervisor mayprovide resources to a virtual machine. Usually, the hypervisortranslates physical resources, such as LUNs and processing power, intoresources able to be used by a virtual machine. Conventionally, ahypervisor stores one or more virtual machines disks together in avirtual machine file system on physical storage or on a LUN. Usually, avirtual machine file system may appear as a single file to processesoutside the hypervisor. Generally, a virtual machine may be created anddeleted in virtualized environments. Typically, some virtual machinesare long lived while others exist for short periods of time and arecreated for specific tasks. In certain embodiments herein, theapplication may refer to suspicious activity. In many embodiments,suspicious activity may indicate activity that is outside of theordinary and may indicate a hacker or other data breach.

In certain embodiments as used herein, reference may be made to astorage layer. In most embodiments, a storage layer may be outside ofand not visible to a virtual machine inside a hypervisor. In manyembodiments, a hypervisor layer may provide a layer of abstraction thatabstracts away the physical storage or logical storage that existsoutside of the hypervisor. In almost all embodiments, a virtual machinemay be ignorant of and unable to examine the storage layer outside ofthe hypervisor.

In most embodiments, if someone has access to a virtual infrastructure,then generally that person may be able to cause significant damage tothat environment. In many embodiments, if an attacker destroyed avirtual machine that the attacker was using, then there may be no recordof the content of the virtual machine. In certain embodiments, if anattacker had access to a virtual infrastructure, the attacker may beable to delete logs and mask or remove evidence of the existence of anycreated virtual machines.

In some embodiments, an indication of data associated with a destroyedvirtual machine may be auditing logs of a hypervisor which may includecreation and deletion time of the VM. Typical backup technologies maynot be good enough to trace what a destroyed virtual machine did as a VMmay be created and deleted within a backup window, leaving little to notrace of the VM when a back-up occurs. Usually, if a back-up window isevery day, then a user may only know what VMs existed at the time of daythe back-up was taken. In some embodiments, a user with access toauditing logs of a hypervisor may be able to delete the logs, or thelogs may be corrupted in a production environment. In other embodiments,if nothing more than the creation and deletion time of a VM isavailable, little analysis may be done on that VM.

In some embodiments, replication of one or more LUNs on which VM data isstored may enable access to a VM that has been deleted. In certainembodiments, replication of LUNs containing data storage of a hypervisormay be from a backend storage array using a continuous data protectiontechnology. In most embodiments, replication at a storage array may beoutside of and unreachable from within a hypervisor. In manyembodiments, a virtual machine within a hypervisor may have no way todetect replication outside of the hypervisor or on a storage array. Incertain embodiments, an attacker using a virtual machine may have noknowledge or way to detect that the actions of the virtual machine arebeing traced in a physical infrastructure.

In some embodiments, a storage layer splitter may create a replica copyof a hypervisor's virtual machine file system containing virtualmachines along with a journal enabling any point in time access to thevolume containing the virtual machines. In most embodiments, split IOmay enable access to any point in time within a given protection window.In many embodiments, split IO may track each IO that occurs in a virtualenvironment. In certain embodiments, split IO may create a continuousdata protection copy of IO written to a production site for lateranalysis. In some embodiments, split IO may create a continuous dataprotection copy of IO written to a replication site for later analysis.In many embodiments, a system may periodically access a point in timeusing split IO. In certain embodiments, an accessed pointed in time maybe used to mount a VMFS to a replication appliance. In most embodiments,a mounted VMFS may be analyzed to determine information about a virtualenvironment. In some embodiments, information about a virtualenvironment may include how many virtual machines are present and whatfiles the virtual machines are accessing.

In at least some embodiments, a replication appliance may parse a VMFS.In some embodiments, a replication appliance may create a database ofcurrently available VMs at a given point in time. In certainembodiments, a replication appliance may mount a VMDK at a point in timeand add a list of file within the VMDKs to a database. In manyembodiments, a database may include auditing information such as who orwhat process created the VMs. In most embodiments, using continuous dataprotection, any point in time within a given time frame may be accessed,which may enable access to any virtual machine created or destroyedwithin that time window. In almost all embodiments, access to a virtualmachine within a protection window may enable analysis of the activitiesof that virtual machine within the protection window.

In further embodiments, if suspicious activity is discovered, a databasemay be searched and a suspicious virtual machine may be restored. Insome embodiments, an analytics engine may run on a database of virtualmachines to look for suspicious activities. In certain embodiments,creation or deletion of one or more VMs too often may denote asuspicious activity. In other embodiments, a given file name or filecontent may denote a suspicious activity.

In most embodiments, when replication is performed on a backend storagearray, a person without access to the storage array may not be able tocorrupt or hide data on that storage array, even if that person orprocess has full access to a virtualization and hypervisor layer. Inmany embodiments, processing may be performed at a replica appliance atreplica storage and the processing may not interfere with or benoticeable by virtual machines running in production environment. Inmany embodiments, continuous data protection (CDP) monitoring may enabletracking activities of a suspicious virtual machine and recover thevirtual machine to any point in time. In many embodiments, being able torecover changes in a virtual machine may lead to information about abreach.

The following may be helpful in understanding the specification andclaims:

BACKUP SITE—may be a facility where replicated production site data isstored; the backup site may be located in a remote site or at the samelocation as the production site; a backup site may be a virtual orphysical site; a backup site may be referred to alternatively as areplica site or a replication site;

CLONE—a clone may be a copy or clone of the image or images, drive ordrives of a first location at a second location;

DELTA MARKING STREAM—may mean the tracking of the delta between theproduction and replication site, which may contain the meta data ofchanged locations, the delta marking stream may be kept persistently onthe journal at the production site of the replication, based on thedelta marking data the DPA knows which locations are different betweenthe production and the replica and transfers them to the replica to makeboth sites identical.

DPA—may be Data Protection Appliance a computer or a cluster ofcomputers, or a set of processes that serve as a data protectionappliance, responsible for data protection services including inter aliadata replication of a storage system, and journaling of I/O requestsissued by a host computer to the storage system; The DPA may be aphysical device, a virtual device running, or may be a combination of avirtual and physical device.

RPA—may be replication protection appliance, is another name for DPA. AnRPA may be a virtual DPA or a physical DPA.

HOST—may be at least one computer or networks of computers that runs atleast one data processing application that issues I/O requests to one ormore storage systems; a host is an initiator with a SAN; a host may be avirtual machine

HOST DEVICE—may be an internal interface in a host, to a logical storageunit;

IMAGE—may be a copy of a logical storage unit at a specific point intime;

INITIATOR—may be a node in a SAN that issues I/O requests;

JOURNAL—may be a record of write transactions issued to a storagesystem; used to maintain a duplicate storage system, and to rollback theduplicate storage system to a previous point in time;

LOGICAL UNIT—may be a logical entity provided by a storage system foraccessing data from the storage system;

LUN—may be a logical unit number for identifying a logical unit; mayalso refer to one or more virtual disks or virtual LUNs, which maycorrespond to one or more Virtual Machines. As used herein, LUN and LUmay be used interchangeably to refer to a LU.

Management and deployment tools—may provide the means to deploy, controland manage the RP solution through the virtual environment managementtools

PHYSICAL STORAGE UNIT—may be a physical entity, such as a disk or anarray of disks, for storing data in storage locations that can beaccessed by address;

PRODUCTION SITE—may be a facility where one or more host computers rundata processing applications that write data to a storage system andread data from the storage system; may be a virtual or physical site.

SAN—may be a storage area network of nodes that send and receive I/O andother requests, each node in the network being an initiator or a target,or both an initiator and a target;

SOURCE SIDE—may be a transmitter of data within a data replicationworkflow, during normal operation a production site is the source side;and during data recovery a backup site is the source side; may be avirtual or physical site

SNAPSHOT—a Snapshot may refer to differential representations of animage, i.e. the snapshot may have pointers to the original volume, andmay point to log volumes for changed locations. Snapshots may becombined into a snapshot array, which may represent different imagesover a time period.

STORAGE SYSTEM—may be a SAN entity that provides multiple logical unitsfor access by multiple SAN initiators

TARGET—may be a node in a SAN that replies to I/O requests;

TARGET SIDE—may be a receiver of data within a data replicationworkflow; during normal operation a back site is the target side, andduring data recovery a production site is the target side; may be avirtual or physical site

WAN—may be a wide area network that connects local networks and enablesthem to communicate with one another, such as the Internet.

SPLITTER/PROTECTION AGENT: may be an agent running either on aproduction host a switch or a storage array which can intercept IO andsplit them to a DPA and to the storage array, fail IO redirect IO or doany other manipulation to the IO; the splitter or protection agent maybe used in both physical and virtual systems. The splitter may be in theIO stack of a system and may be located in the hypervisor for virtualmachines. May be referred to herein as an Open Replicator Splitter(ORS).

VIRTUAL VOLUME: may be a volume which is exposed to host by avirtualization layer, the virtual volume may be spanned across more thanone site and or volumes

VASA: may be a set of vCenter providers that allow an administrator tomanage storage

VMFS: may be a virtual machine file system, a file system provided byVMware for storing a virtual machine

VMDK: may be a virtual machine disk file containing a disk data in aVMFS. Analog to a LUN in a block storage array. In some embodiments aVMDK may have a file system. In certain embodiments, the file system maybe NTFS. In other embodiments, the file system may be FAT. In furtherembodiments the file system may be FAT32. In still further embodiments,the file system may be ext4.

Virtual RPA (vRPA)/Virtual DPA (vDPA): may be a DPA running in a VM.

VASA may be vSphere Storage application program interfaces (APIs) forStorage Awareness.

MARKING ON SPLITTER: may be a mode in a splitter where intercepted IOsare not split to an appliance and the storage, but changes (meta data)are tracked in a list and/or a bitmap and I/O is immediately sent todown the IO stack.

FAIL ALL MODE: may be a mode of a volume in the splitter where all writeand read IOs intercepted by the splitter are failed to the host, butother SCSI commands like read capacity are served.

LOGGED ACCESS: may be an access method provided by the appliance and thesplitter, in which the appliance rolls the volumes of the consistencygroup to the point in time the user requested and let the host accessthe volumes in a copy on first write base.

VIRTUAL ACCESS: may be an access method provided by the appliance andthe splitter, in which the appliance exposes a virtual volume from aspecific point in time to the host, the data for the virtual volume ispartially stored on the remote copy and partially stored on the journal.

CDP: Continuous Data Protection, may refer to a full replica of a volumeor a set of volumes along with a journal which allows any point in timeaccess, the CDP copy is at the same site, and maybe the same storagearray of the production site

CRR: Continuous Remote Replica may refer to a full replica of a volumeor a set of volumes along with a journal which allows any point in timeaccess at a site remote to the production volume and on a separatestorage array.

A description of journaling and some techniques associated withjournaling may be described in the patent titled METHODS AND APPARATUSFOR OPTIMAL JOURNALING FOR CONTINUOUS DATA REPLICATION and with U.S.Pat. No. 7,516,287, and METHODS AND APPARATUS FOR OPTIMAL JOURNALING FORCONTINUOUS DATA REPLICATION and with U.S. Pat. No. 8,332,687, which arehereby incorporated by reference. A description of synchronous andasynchronous replication may be described in the patent titledDYNAMICALLY SWITCHING BETWEEN SYNCHRONOUS AND ASYNCHRONOUS REPLICATIONand with U.S. Pat. No. 8,341,115, which is hereby incorporated byreference.

A discussion of image access may be found in U.S. patent applicationSer. No. 12/969,903 entitled “DYNAMIC LUN RESIZING IN A REPLICATIONENVIRONMENT” filed on Dec. 16, 2010 assigned to EMC Corp., which ishereby incorporated by reference.

Description of Embodiments Using of a Five State Journaling Process

Reference is now made to FIG. 1, which is a simplified illustration of adata protection system 100, in accordance with an embodiment of thepresent invention. Shown in FIG. 1 are two sites; Site I, which is aproduction site, on the right, and Site II, which is a backup site, onthe left. Under normal operation the production site is the source sideof system 100, and the backup site is the target side of the system. Thebackup site is responsible for replicating production site data.Additionally, the backup site enables rollback of Site I data to anearlier pointing time, which may be used in the event of data corruptionof a disaster, or alternatively in order to view or to access data froman earlier point in time.

During normal operations, the direction of replicate data flow goes fromsource side to target side. It is possible, however, for a user toreverse the direction of replicate data flow, in which case Site Istarts to behave as a target backup site, and Site II starts to behaveas a source production site. Such change of replication direction isreferred to as a “failover”. A failover may be performed in the event ofa disaster at the production site, or for other reasons. In some dataarchitectures, Site I or Site II behaves as a production site for aportion of stored data, and behaves simultaneously as a backup site foranother portion of stored data. In some data architectures, a portion ofstored data is replicated to a backup site, and another portion is not.

The production site and the backup site may be remote from one another,or they may both be situated at a common site, local to one another.Local data protection has the advantage of minimizing data lag betweentarget and source, and remote data protection has the advantage is beingrobust in the event that a disaster occurs at the source side.

The source and target sides communicate via a wide area network (WAN)128, although other types of networks are also adaptable for use withthe present invention.

In accordance with an embodiment of the present invention, each side ofsystem 100 includes three major components coupled via a storage areanetwork (SAN); namely, (i) a storage system, (ii) a host computer, and(iii) a data protection appliance (DPA). Specifically with reference toFIG. 1, the source side SAN includes a source host computer 104, asource storage system 108, and a source DPA 112. Similarly, the targetside SAN includes a target host computer 116, a target storage system120, and a target DPA 124.

Generally, a SAN includes one or more devices, referred to as “nodes”. Anode in a SAN may be an “initiator” or a “target”, or both. An initiatornode is a device that is able to initiate requests to one or more otherdevices; and a target node is a device that is able to reply torequests, such as SCSI commands, sent by an initiator node. A SAN mayalso include network switches, such as fiber channel switches. Thecommunication links between each host computer and its correspondingstorage system may be any appropriate medium suitable for data transfer,such as fiber communication channel links.

In an embodiment of the present invention, the host communicates withits corresponding storage system using small computer system interface(SCSI) commands.

System 100 includes source storage system 108 and target storage system120. Each storage system includes physical storage units for storingdata, such as disks or arrays of disks. Typically, storage systems 108and 120 are target nodes. In order to enable initiators to send requeststo storage system 108, storage system 108 exposes one or more logicalunits (LU) to which commands are issued. Thus, storage systems 108 and120 are SAN entities that provide multiple logical units for access bymultiple SAN initiators.

Logical units are a logical entity provided by a storage system, foraccessing data stored in the storage system. A logical unit isidentified by a unique logical unit number (LUN). In an embodiment ofthe present invention, storage system 108 exposes a logical unit 136,designated as LU A, and storage system 120 exposes a logical unit 156,designated as LU B.

In an embodiment of the present invention, LU B is used for replicatingLU A. As such, LU B is generated as a copy of LU A. In one embodiment,LU B is configured so that its size is identical to the size of LU A.Thus for LU A, storage system 120 serves as a backup for source sidestorage system 108. Alternatively, as mentioned hereinabove, somelogical units of storage system 120 may be used to back up logical unitsof storage system 108, and other logical units of storage system 120 maybe used for other purposes. Moreover, in certain embodiments of thepresent invention, there is symmetric replication whereby some logicalunits of storage system 108 are used for replicating logical units ofstorage system 120, and other logical units of storage system 120 areused for replicating other logical units of storage system 108.

System 100 includes a source side host computer 104 and a target sidehost computer 116. A host computer may be one computer, or a pluralityof computers, or a network of distributed computers, each computer mayinclude inter alia a conventional CPU, volatile and non-volatile memory,a data bus, an I/O interface, a display interface and a networkinterface. Generally a host computer runs at least one data processingapplication, such as a database application and an e-mail server.

Generally, an operating system of a host computer creates a host devicefor each logical unit exposed by a storage system in the host computerSAN. A host device is a logical entity in a host computer, through whicha host computer may access a logical unit. In an embodiment of thepresent invention, host device 104 identifies LU A and generates acorresponding host device 140, designated as Device A, through which itcan access LU A. Similarly, host computer 116 identifies LU B andgenerates a corresponding device 160, designated as Device B.

In an embodiment of the present invention, in the course of continuousoperation, host computer 104 is a SAN initiator that issues I/O requests(write/read operations) through host device 140 to LU A using, forexample, SCSI commands. Such requests are generally transmitted to LU Awith an address that includes a specific device identifier, an offsetwithin the device, and a data size. Offsets are generally aligned to 512byte blocks. The average size of a write operation issued by hostcomputer 104 may be, for example, 10 kilobytes (KB); i.e., 20 blocks.For an I/O rate of 50 megabytes (MB) per second, this corresponds toapproximately 5,000 write transactions per second.

System 100 includes two data protection appliances, a source side DPA112 and a target side DPA 124. A DPA performs various data protectionservices, such as data replication of a storage system, and journalingof I/O requests issued by a host computer to source side storage systemdata. As explained in detail hereinbelow, when acting as a target sideDPA, a DPA may also enable rollback of data to an earlier point in time,and processing of rolled back data at the target site. Each DPA 112 and124 is a computer that includes inter alia one or more conventional CPUsand internal memory.

For additional safety precaution, each DPA is a cluster of suchcomputers. Use of a cluster ensures that if a DPA computer is down, thenthe DPA functionality switches over to another computer. The DPAcomputers within a DPA cluster communicate with one another using atleast one communication link suitable for data transfer via fiberchannel or IP based protocols, or such other transfer protocol. Onecomputer from the DPA cluster serves as the DPA leader. The DPA clusterleader coordinates between the computers in the cluster, and may alsoperform other tasks that require coordination between the computers,such as load balancing.

In the architecture illustrated in FIG. 1, DPA 112 and DPA 124 arestandalone devices integrated within a SAN. Alternatively, each of DPA112 and DPA 124 may be integrated into storage system 108 and storagesystem 120, respectively, or integrated into host computer 104 and hostcomputer 116, respectively. Both DPAs communicate with their respectivehost computers through communication lines such as fiber channels using,for example, SCSI commands.

In accordance with an embodiment of the present invention, DPAs 112 and124 are configured to act as initiators in the SAN; i.e., they can issueI/O requests using, for example, SCSI commands, to access logical unitson their respective storage systems. DPA 112 and DPA 124 are alsoconfigured with the necessary functionality to act as targets; i.e., toreply to I/O requests, such as SCSI commands, issued by other initiatorsin the SAN, including inter alia their respective host computers 104 and116. Being target nodes, DPA 112 and DPA 124 may dynamically expose orremove one or more logical units.

As described hereinabove, Site I and Site II may each behavesimultaneously as a production site and a backup site for differentlogical units. As such, DPA 112 and DPA 124 may each behave as a sourceDPA for some logical units and as a target DPA for other logical units,at the same time.

In accordance with an embodiment of the present invention, host computer104 and host computer 116 include protection agents 144 and 164,respectively. Protection agents 144 and 164 intercept SCSI commandsissued by their respective host computers, via host devices to logicalunits that are accessible to the host computers. In accordance with anembodiment of the present invention, a data protection agent may act onan intercepted SCSI commands issued to a logical unit, in one of thefollowing ways:

Send the SCSI commands to its intended logical unit.

Redirect the SCSI command to another logical unit.

Split the SCSI command by sending it first to the respective DPA. Afterthe DPA returns an acknowledgement, send the SCSI command to itsintended logical unit.

Fail a SCSI command by returning an error return code.

Delay a SCSI command by not returning an acknowledgement to therespective host computer.

A protection agent may handle different SCSI commands, differently,according to the type of the command. For example, a SCSI commandinquiring about the size of a certain logical unit may be sent directlyto that logical unit, while a SCSI write command may be split and sentfirst to a DPA associated with the agent. A protection agent may alsochange its behavior for handling SCSI commands, for example as a resultof an instruction received from the DPA.

Specifically, the behavior of a protection agent for a certain hostdevice generally corresponds to the behavior of its associated DPA withrespect to the logical unit of the host device. When a DPA behaves as asource site DPA for a certain logical unit, then during normal course ofoperation, the associated protection agent splits I/O requests issued bya host computer to the host device corresponding to that logical unit.Similarly, when a DPA behaves as a target device for a certain logicalunit, then during normal course of operation, the associated protectionagent fails I/O requests issued by host computer to the host devicecorresponding to that logical unit.

Communication between protection agents and their respective DPAs mayuse any protocol suitable for data transfer within a SAN, such as fiberchannel, or SCSI over fiber channel. The communication may be direct, orvia a logical unit exposed by the DPA. In an embodiment of the presentinvention, protection agents communicate with their respective DPAs bysending SCSI commands over fiber channel.

In an embodiment of the present invention, protection agents 144 and 164are drivers located in their respective host computers 104 and 116.Alternatively, a protection agent may also be located in a fiber channelswitch, or in any other device situated in a data path between a hostcomputer and a storage system.

What follows is a detailed description of system behavior under normalproduction mode, and under recovery mode.

In accordance with an embodiment of the present invention, in productionmode DPA 112 acts as a source site DPA for LU A. Thus, protection agent144 is configured to act as a source side protection agent; i.e., as asplitter for host device A. Specifically, protection agent 144replicates SCSI I/O requests. A replicated SCSI I/O request is sent toDPA 112. After receiving an acknowledgement from DPA 124, protectionagent 144 then sends the SCSI I/O request to LU A. Only after receivinga second acknowledgement from storage system 108 may host computer 104initiate another I/O request.

When DPA 112 receives a replicated SCSI write request from dataprotection agent 144, DPA 112 transmits certain I/O informationcharacterizing the write request, packaged as a “write transaction”,over WAN 128 to DPA 124 on the target side, for journaling and forincorporation within target storage system 120.

DPA 112 may send its write transactions to DPA 124 using a variety ofmodes of transmission, including inter alia (i) a synchronous mode, (ii)an asynchronous mode, and (iii) a snapshot mode. In synchronous mode,DPA 112 sends each write transaction to DPA 124, receives back anacknowledgement from DPA 124, and in turns sends an acknowledgement backto protection agent 144. Protection agent 144 waits until receipt ofsuch acknowledgement before sending the SCSI write request to LU A.

In asynchronous mode, DPA 112 sends an acknowledgement to protectionagent 144 upon receipt of each I/O request, before receiving anacknowledgement back from DPA 124.

In snapshot mode, DPA 112 receives several I/O requests and combinesthem into an aggregate “snapshot” of all write activity performed in themultiple I/O requests, and sends the snapshot to DPA 124, for journalingand for incorporation in target storage system 120. In snapshot mode DPA112 also sends an acknowledgement to protection agent 144 upon receiptof each I/O request, before receiving an acknowledgement back from DPA124.

For the sake of clarity, the ensuing discussion assumes that informationis transmitted at write-by-write granularity.

While in production mode, DPA 124 receives replicated data of LU A fromDPA 112, and performs journaling and writing to storage system 120. Whenapplying write operations to storage system 120, DPA 124 acts as aninitiator, and sends SCSI commands to LU B.

During a recovery mode, DPA 124 undoes the write transactions in thejournal, so as to restore storage system 120 to the state it was at, atan earlier time.

As described hereinabove, in accordance with an embodiment of thepresent invention, LU B is used as a backup of LU A. As such, duringnormal production mode, while data written to LU A by host computer 104is replicated from LU A to LU B, host computer 116 should not be sendingI/O requests to LU B. To prevent such I/O requests from being sent,protection agent 164 acts as a target site protection agent for hostDevice B and fails I/O requests sent from host computer 116 to LU Bthrough host Device B.

In accordance with an embodiment of the present invention, targetstorage system 120 exposes a logical unit 176, referred to as a “journalLU”, for maintaining a history of write transactions made to LU B,referred to as a “journal”. Alternatively, journal LU 176 may be stripedover several logical units, or may reside within all of or a portion ofanother logical unit. DPA 124 includes a journal processor 180 formanaging the journal.

Journal processor 180 functions generally to manage the journal entriesof LU B. Specifically, journal processor 180 (i) enters writetransactions received by DPA 124 from DPA 112 into the journal, bywriting them into the journal LU, (ii) applies the journal transactionsto LU B, and (iii) updates the journal entries in the journal LU withundo information and removes already-applied transactions from thejournal. As described below, with reference to FIGS. 2 and 3A-3D,journal entries include four streams, two of which are written whenwrite transaction are entered into the journal, and two of which arewritten when write transaction are applied and removed from the journal.

Reference is now made to FIG. 2, which is a simplified illustration of awrite transaction 200 for a journal, in accordance with an embodiment ofthe present invention. The journal may be used to provide an adaptor foraccess to storage 120 at the state it was in at any specified point intime. Since the journal contains the “undo” information necessary torollback storage system 120, data that was stored in specific memorylocations at the specified point in time may be obtained by undoingwrite transactions that occurred subsequent to such point in time.

Write transaction 200 generally includes the following fields:

one or more identifiers;

a time stamp, which is the date & time at which the transaction wasreceived by source side DPA 112;

a write size, which is the size of the data block;

a location in journal LU 176 where the data is entered;

a location in LU B where the data is to be written; and

the data itself.

Write transaction 200 is transmitted from source side DPA 112 to targetside DPA 124. As shown in FIG. 2, DPA 124 records the write transaction200 in four streams. A first stream, referred to as a DO stream,includes new data for writing in LU B. A second stream, referred to asan DO METADATA stream, includes metadata for the write transaction, suchas an identifier, a date & time, a write size, a beginning address in LUB for writing the new data in, and a pointer to the offset in the dostream where the corresponding data is located. Similarly, a thirdstream, referred to as an UNDO stream, includes old data that wasoverwritten in LU B; and a fourth stream, referred to as an UNDOMETADATA, include an identifier, a date & time, a write size, abeginning address in LU B where data was to be overwritten, and apointer to the offset in the undo stream where the corresponding olddata is located.

In practice each of the four streams holds a plurality of writetransaction data. As write transactions are received dynamically bytarget DPA 124, they are recorded at the end of the DO stream and theend of the DO METADATA stream, prior to committing the transaction.During transaction application, when the various write transactions areapplied to LU B, prior to writing the new DO data into addresses withinthe storage system, the older data currently located in such addressesis recorded into the UNDO stream.

By recording old data, a journal entry can be used to “undo” a writetransaction. To undo a transaction, old data is read from the UNDOstream in a reverse order, from the most recent data to the oldest data,for writing into addresses within LU B. Prior to writing the UNDO datainto these addresses, the newer data residing in such addresses isrecorded in the DO stream.

The journal LU is partitioned into segments with a pre-defined size,such as 1 MB segments, with each segment identified by a counter. Thecollection of such segments forms a segment pool for the four journalingstreams described hereinabove. Each such stream is structured as anordered list of segments, into which the stream data is written, andincludes two pointers—a beginning pointer that points to the firstsegment in the list and an end pointer that points to the last segmentin the list.

According to a write direction for each stream, write transaction datais appended to the stream either at the end, for a forward direction, orat the beginning, for a backward direction. As each write transaction isreceived by DPA 124, its size is checked to determine if it can fitwithin available segments. If not, then one or more segments are chosenfrom the segment pool and appended to the stream's ordered list ofsegments.

Thereafter the DO data is written into the DO stream, and the pointer tothe appropriate first or last segment is updated. Freeing of segments inthe ordered list is performed by simply changing the beginning or theend pointer. Freed segments are returned to the segment pool for re-use.

A journal may be made of any number of streams including less than ormore than 5 streams. Often, based on the speed of the journaling andwhether the back-up is synchronous or a synchronous a fewer or greaternumber of streams may be used.

Read/Write Replication

Refer now to the example embodiment of FIG. 3, which illustratesreplicating IO. In the example embodiment of FIG. 3, Production Site 300has Machine 331, Machine 332, and Machine 333. Machine 331 sends Read IO305 to storage 350. Machine 332 sends IO command 332 to storage 350.Machine 333 sends Write IO 308 to Storage 350.

Storage 350 has splitter 375 and Volume 1 371, Volume 2 372, and Volume3 373. Read IO 305, IO command 306, and Write IO 308 are intercepted atsplitter 375. Refer now as well to FIG. 4 A. Splitter 375 receives ReadIO 305 (step 400). Splitter 375 determines if Read IO 305 is a write IO(step 410). Read IO 305 is not a write IO so Splitter 375 determines ifRead IO 305 is a read IO (step 420). As Read IO 305 is a read IO,Splitter 375 replicates the metadata of Read IO 305 to RPA 328 (step425). Splitter 375 receives IO command 306 (step 400). Splitter 375determines if IO command 306 is a write IO (step 410). IO command 306 isnot a write IO so Splitter 375 determines if IO command 306 is a read IO(step 420), where an IO command may be xcopy command or write samecommand or another command. As IO command 306 is not a read IO, Splitter375 determines if IO command 306 is an IO command (step 430). Splitter375 replicates the metadata of IO command 306 to RPA 328 (step 435).Splitter 375 receives Write IO 308 (step 400). Splitter 375 determinesif receives Write IO 308 is a write IO (step 410). As receives Write IO308 is a write IO, Splitter 375 replicates Write IO 308 to RPA 328 (step415).

Refer now to the example embodiments of FIGS. 4b and 5. Point in time571 is accessed (step 450). Point in time 571 is mounted (step 455). Thefile system on point in time is parsed (step 460). Point in time 571 isanalyzed (step 465). As noted in FIG. 5, PIT 571 has read access 580 andwrite access 581 denoting the read and write access to point in time571.

Refer now to the example embodiment of FIG. 6, which illustrates asplitter integrated into a storage. In FIG. 6, production site 600 hashypervisor 610. Hypervisor 610 has VM 631 and VM 632. VM 631 sends IO605 to VMDK 671, which is in VMFS 665, stored on volume 660 on storagearray 650. In this embodiment, IO 605 is intercepted by splitter 675before being sent to volume 660 respectively. In this embodiment,Hypervisor 610 abstracts storage 650 and volume 660 from VMs 631 and 632by presenting each VM with an associated virtual machine disk. VMS 631and 632 have no knowledge of storage 650 splitter 675 or volume 660,rather are aware of their respective VMDKs. In this embodimenthypervisor 610 has no knowledge of splitter 675. In most embodiments, asa storage based splitter may spit IOs at a storage level, a hypervisormay not be able to tamper with IOs in a storage array with the splitter.In almost all embodiments, a storage based splitter may not haveknowledge of virtual machines in a hypervisor, even if the hypervisor istampered with to try and hide activities of or existence of one or morevirtual machines. In many embodiments, the intercepted IO may be a readIO, a write IO, or an IO command. In the embodiment of FIG. 6, it may benecessary to parse the VMDKS find the information in the VMDK.

Refer now as well to the example embodiments of FIG. 7a . Splitter 675receives Read IO 605 (step 400). Splitter 675 determines if Read IO 605is a write IO (step 410). Read IO 605 is not a write IO so Splitter 675determines if Read IO 605 is a read IO (step 420). As Read IO 605 is aread IO, Splitter 675 replicates the metadata of Read IO 605 to RPA 628(step 425). Splitter 675 receives IO command 606 (step 400). Splitter675 determines if IO command 606 is a write IO (step 410). Read IO 605is not a write IO so Splitter 675 determines if IO command 606 is a readIO (step 420). As IO command 606 is not a read IO, Splitter 675determines if IO command 606 is an IO command (step 430). Splitter 675replicates the metadata of IO command 606 to RPA 328 (step 435).Splitter 675 receives Write IO 608 (step 400). Splitter 675 determinesif receives Write IO 608 is a write IO (step 410). As receives Write IO608 is a write IO, Splitter 675 replicates Write IO 608 to RPA 628 (step415).

Refer now to the example embodiments of FIGS. 7b and 8. Point in time871 is accessed (step 750). Point in time 871 is mounted (step 755). TheVMFS on point in time is parsed (step 760). A virtual machine isdetected (step 761) VMDK 871 is parsed (step 762). Point in time 871 isanalyzed (step 765). As noted in FIG. 5, PIT 871 has read access 880 andwrite access 881 denoting the read and write access to point in time871.

In other embodiments, a splitter may be located in a hypervisor. In anembodiment where a splitter is located in a hypervisor, it may not benecessary to parse the VMFS level, as the IOs are intercepted at thevirtual disk (VMDK) level. In certain embodiments, if IOs areintercepted at a hypervisor it may be possible to intercept IOs to avirtual disk, which may enable a point in time to be examined withouthaving to perform parsing.

In certain embodiments, database information about virtual machines mayinclude the number of virtual machines. In other embodiments, databaseinformation may include information about files stored on virtualmachines. In further embodiments, database information may includeinformation about what actions virtual machines are performing, forexample the IO activity of the VM as deduced from IO in the journal maybe stored in the database. In many embodiments, the files accessed andthe actions performed may be recorded in the database.

Refer now to the example embodiment of FIG. 9, which illustrates asplitter integrated into a hypervisor. In FIG. 9, production site 900has hypervisor 910. Hypervisor 910 has VM 931, VM 932, VM 933, andsplitter 975. VM 931 sends Read IO 905 to VMDK 971, which is in VMFS965, stored on volume 960 on storage array 950. VM 932 sends IO Command906 to VMDK 972, which is in VMFS 965, stored on volume 960 on storagearray 950. VM 933 sends write IO 908 to VMDK 973, which is in VMFS 965,stored on volume 960 on storage array 950.

In this embodiment, IOs 905, 906 and 908 are intercepted by splitter 975before they are sent to storage 950. In FIG. 8, as replication isperformed at the hypervisor level, each virtual machine is enabled to bereplicated at the VMDK level.

Refer now as well to the example embodiment of FIG. 10a . Splitter 975receives Read IO 905 (step 1000). Splitter 975 determines if Read IO 905is a write IO (step 1010). Read IO 905 is not a write IO so Splitter 975determines if Read IO 905 is a read IO (step 1020). As Read IO 905 is aread IO, Splitter 975 replicates the metadata of Read IO 905 to RPA 928(step 1025). Splitter 975 receives IO command 906 (step 1000). Splitter975 determines if IO command 906 is a write IO (step 1010). Read 109 isnot a write IO so Splitter 975 determines if IO command 606 is a read IO(step 1020). As IO command 906 is not a read IO, Splitter 975 determinesif IO command 606 is an IO command (step 1030). Splitter 975 replicatesthe metadata of IO command 906 to RPA 328 (step 1035). Splitter 975receives Write IO 908 (step 1000). Splitter 975 determines if receivesWrite IO 908 is a write IO (step 1010). As receives Write IO 908 is awrite IO, Splitter 975 replicates Write IO 908 to RPA 928 (step 1015).

Refer now to the example embodiments of FIGS. 10b and 11. Point in time1171 is accessed (step 1050). Point in time 1171 is mounted (step 1055).File system in VMDK is parsed (step 1060) Point in time 1171 is analyzed(step 1065). As noted in FIG. 5, PIT 1071 has read access 1180 and writeaccess 1181 denoting the read and write access to point in time 1171.

In some embodiments, an outside trigger may cause a point in time to bemounted and analyzed. In other embodiments, information about read andwrite access may be stored in a database. In certain embodiments, an RPAmay periodically mount a point in time to update a database describingmachines being replicated. In other embodiments, an RPA may be set tomount a point in time in response to an event detected by a splitter. Infurther embodiments, an event that may cause a point in time to bemounted to update a database may be creation of a virtual machine. Inmost embodiments, a database may contain a listing of machines and otherinformation about the machines such as files accessed and processesstarted. In some embodiments, a database may contain a configuration ofeach machine. In certain embodiments, a database may contain changes tomachine configurations. In some embodiments, a database may contain theoperating system of the machine. In at least some embodiments, adatabase may contain an activity metric of the machines. In at least oneembodiment, a database may contain IO memory activity.

In many embodiments, a database recording machine activity may beregularly analyzed. In most embodiments, suspicious activity may befound by analyzing activity found in a machine database. In certainembodiments, where a database is updated each time a virtual machine iscreated or deleted, the database may catalog each virtual machine thatexisted in a hypervisor in a given period of time. In certainembodiments, a database may capture suspicious activity of short livedvirtual machines. In some embodiments, use of a high amount of storagemay trigger one or more entries in a database. In other embodiments,high use of network resources may trigger one or more entries in adatabase. In other embodiments, different events or actions may triggerone or more entries in a database. In a particular embodiment, leakprevention software may trigger one or more entries in a database. Inmost embodiments, suspicious activity may be found by analyzing adatabase.

In certain embodiments, once a virtual machine is suspected ofsuspicious activity, the virtual machine may be restored by returningthe replica volume to the timestamp when the virtual machine existed. Inother embodiments, if a machine is suspected of suspicious activity at apoint in time, that point in time may be restored and analyzed. In mostembodiments, a restored point in time of a machine may be analyzed tosee what data the machine had and what actions it performed. In furtherembodiments, a suspicious time period may be identified and points intime for these machines within the suspicious time period may berestored an analyzed. In further embodiments, a suspicious time periodmay be identified by an external tool.

In some embodiments, a system may detect suspicious activities bymounting a file system looking for new files and detecting new file datais encrypted.

In many embodiments, files that have been accessed maybe detected. Incertain embodiments, accessed files may be detected by parsing a filesystem. In some embodiments, a file system may be on a virtual disk andthe virtual machine disk and or the virtual machine file system storingthe virtual machine disk may need to be parsed to determine what fileshave been accessed. In most embodiments, by parsing a file system it maybe able to determine addresses on the disk corresponding to where eachfile is stored. In certain embodiments, a database may hold mapping fromfiles to blocks on which the files reside. In most embodiments, using aparsed file system metadata of reads may indicate the list of reads thatoccurred during the period, which may indicate which files whereaccessed. In most embodiments, a system may detect which files whereread, and from the files that were read, it may be possible to indicatewhich files were read from the beginning to the end. In manyembodiments, if a whole file was read, it may indicate a strongsuspicion that the file was stolen. In certain embodiments, based onfiles that are suspected as stolen and based on the file type andcontent, the system may filter important files (like docs) and thuscreate a list of suspected stolen files. In further embodiments, bycomparing read metadata with write metadata and or command metadata, itmay be possible to determine commands performed on the read data.

The methods and apparatus of this invention may take the form, at leastpartially, of program code (i.e., instructions) embodied in tangiblemedia, such as floppy diskettes, CD-ROMs, hard drives, random access orread only-memory, or any other machine-readable storage medium. When theprogram code is loaded into and executed by a machine, such as thecomputer of FIG. 12, the machine becomes an apparatus for practicing theinvention. When implemented on one or more general-purpose processors,the program code combines with such a processor 1203 to provide a uniqueapparatus that operates analogously to specific logic circuits. As sucha general purpose digital machine can be transformed into a specialpurpose digital machine. FIG. 13 shows Program Logic 1310 embodied on acomputer-readable medium 1320 as shown, and wherein the Logic is encodedin computer-executable code configured for carrying out the reservationservice process of this invention and thereby forming a Computer ProgramProduct 1300. The logic 1310 may be the same logic 1240 on memory 1204loaded on processor 1203. The program logic may also be embodied insoftware modules, as modules, or as hardware modules.

The logic for carrying out the method may be embodied as part of thesystem described below, which is useful for carrying out a methoddescribed with reference to embodiments shown in, for example, FIGS. 4,7, and 10. For purposes of illustrating the present invention, theinvention is described as embodied in a specific configuration and usingspecial logical arrangements, but one skilled in the art will appreciatethat the device is not limited to the specific configuration but ratheronly by the claims included with this specification. A processor may bea physical or virtual processor.

Although the foregoing invention has been described in some detail forpurposes of clarity of understanding, it will be apparent that certainchanges and modifications may be practiced within the scope of theappended claims. Accordingly, the present implementations are to beconsidered as illustrative and not restrictive, and the invention is notto be limited to the details given herein, but may be modified withinthe scope and equivalents of the appended claims.

What is claimed is:
 1. A system comprising: an image; and a journal; thejournal having read metadata, write data; and write metadata; whereinthe write data and metadata enable the image to be rolled to differentpoints in time within a protection window; wherein the read metadatacorresponds to reads within the protection window; computer-executablelogic operating in memory, wherein the computer-executable program logicis configured to enable execution across one or more processors of:rolling the image to a point in time in the protection window byapplying the write data using the write metadata; and examining the readmetadata, write data, and write metadata to determine if the image wasaccessed by an intruder.
 2. The system of claim 1 wherein the examiningcomprises determining what files on the image were accessed during aperiod of time following the point in time to which the image wasrolled.
 3. The system of claim 2 wherein the examining further comprisesdetermining whether an accessed file was encrypted.
 4. The system ofclaim 2 wherein determining what files on the image were access includesparsing a file system on the image for files and mapping read metadatato the files.
 5. The system of claim 2 wherein the examining furthercomprises determining if a file was read from beginning to end.
 6. Thesystem of claim 5 wherein a list of files suspected to be stolen iscreated based on the files that were determined to have been read. 7.The system of claim 6 wherein the logic is further configured to enablenotifying a user of the list of suspected files.
 8. A computerimplemented method comprising: rolling an image to a point in time in aprotection window by applying the write data using the write metadata;where the write data is stored in a journal; where the journal also haswrite metadata and read metadata; where the wherein the write data andmetadata enable the image to be rolled to different points in timewithin a protection window; wherein the read metadata corresponds toreads within the protection window; and examining the read metadata,write data, and write metadata to determine if the image was accessed byan intruder.
 9. The method of claim 8 wherein the examining comprisesdetermining what files on the image were accessed during a period oftime following the point in time to which the image was rolled.
 10. Themethod of claim 9 wherein the examining further comprises determiningwhether an accessed file was encrypted.
 11. The method of claim 10wherein determining what files on the image were access includes parsinga file system on the image for files and mapping read metadata to thefiles.
 12. The method of claim 9 wherein the examining further comprisesdetermining if a file was read from beginning to end.
 13. The method ofclaim 12 wherein a list of files suspected to be stolen is created basedon the files that were determined to have been read.
 14. The method ofclaim 13 further comprising notifying a user of the list of suspectedfiles
 15. A computer program product comprising: a non-transitorycomputer readable medium encoded with computer executable program code,wherein the code enables execution across one or more processors of:rolling an image to a point in time in a protection window by applyingthe write data using the write metadata; where the write data is storedin a journal; where the journal also has write metadata and readmetadata; where the wherein the write data and metadata enable the imageto be rolled to different points in time within a protection window;wherein the read metadata corresponds to reads within the protectionwindow; and examining the read metadata, write data, and write metadatato determine if the image was accessed by an intruder.
 16. The computerprogram product of claim 15 wherein the examining comprises determiningwhat files on the image were accessed during a period of time followingthe point in time to which the image was rolled.
 17. The computerprogram product of claim 16 wherein the examining further comprisesdetermining whether an accessed file was encrypted.
 18. The computerprogram product of claim 16 wherein determining what files on the imagewere access includes parsing a file system on the image for files andmapping read metadata to the files.
 19. The computer program product ofclaim 15 wherein the examining further comprises determining if a filewas read from beginning to end.
 20. The computer program product ofclaim 12 wherein a list of files suspected to be stolen is created basedon the files that were determined to have been read.